9250 Commits

Author SHA1 Message Date
Juan Antonio Osorio Robles
eb52c794d9 Add HorizonSecureCookies to environments/ssl/enable-tls.yaml
It was missing and breaking folks trying to use it.

Change-Id: I06c3a8499ce72973f850df60961226a168ba49e4
Closes-Bug: #1812211
2019-01-17 14:40:49 +02:00
Zuul
992dc37e7f Merge "Make ceph-ansible integration respect PythonInterpreter" 2019-01-17 11:17:01 +00:00
Zuul
243044e652 Merge "nova-libvirt: conditionalize selinux bind-mount" 2019-01-17 11:16:59 +00:00
Zuul
c296b305e0 Merge "Remove unused jinja code in network-isolation environment" 2019-01-17 01:49:46 +00:00
Zuul
c9d2f3b46d Merge "Make neutron ovs agent work with python3" 2019-01-17 01:26:14 +00:00
Zuul
1df2bd8d31 Merge "Per role Numa aware vswitch configuration" 2019-01-17 01:06:32 +00:00
Zuul
30f95926a9 Merge "Update manila environment file name in capabilities-map" 2019-01-16 22:53:58 +00:00
Zuul
3027b16fa6 Merge "Fix paunch logs verbosity control" 2019-01-16 22:53:28 +00:00
Zuul
4f9653cbdd Merge "implement default ssh-from-ctlplane rule via hiera" 2019-01-16 22:33:15 +00:00
Zuul
4d0ea9e119 Merge "Reuse the container in case we have a temporary podman failure" 2019-01-16 18:37:05 +00:00
Zuul
c9bccf43fa Merge "Assure that updates job is listed in both check and gate" 2019-01-16 18:37:02 +00:00
Zuul
e0a53f4429 Merge "Enable image inject metadata properties & user roles to be ignored" 2019-01-16 17:33:14 +00:00
Zuul
e7f7bd927e Merge "Transitioning to HAProxy 1.8" 2019-01-16 16:50:55 +00:00
Zuul
474d6b7b4f Merge "Run 'Delete Upgrade Flag and Unset it via Rest' only once" 2019-01-16 16:16:36 +00:00
Damien Ciabrini
de35766338 Make neutron ovs agent work with python3
Currently neutron_ovs_agent_launcher.sh unconditionally
runs neutron with the default python from /usr/bin/python,
so it is impossible to force it to use python3 if
/usr/bin/python points to python2.

Make the python interpreter overridable, by reusing the
existing Heat parameter "PythonInterpreter" and honouring
its value in neutron_ovs_agent_launcher.sh

Change-Id: I43c17de81603bd41e6503dd01d6f4ef452b7d533
Co-Authored-By: Michele Baldessari <michele@acksyn.org>
2019-01-16 17:13:08 +01:00
Bogdan Dobrelya
c5d1b6fb63 Fix paunch logs verbosity control
Make ConfigDebug also control the paunch logs verbosity.

Depends-On: https://review.openstack.org/614166
Related-Bug: #1799182

Change-Id: I89fd73eaa2120f06ab245be148a60bb08f0cb512
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-01-16 15:06:32 +00:00
Damien Ciabrini
34d0e5b020 nova-libvirt: conditionalize selinux bind-mount
On an F28-based container image nova-libvirt fails to
start in Podman if /sys/fs/selinux is bind-mounted
from the host, with the following logs:

2019-01-16 13:41:35.375+0000: 452430: error : virSecuritySELinuxQEMUInitialize:634 : cannot open SELinux label_handle: No such file or directory
2019-01-16 13:41:35.375+0000: 452430: error : qemuSecurityInit:425 : internal error: Failed to initialize security drivers
2019-01-16 13:41:35.375+0000: 452430: error : virStateInitialize:775 : Initialization of QEMU state driver failed: internal error: Failed to initialize security drivers
2019-01-16 13:41:35.375+0000: 452430: error : daemonRunStateInit:837 : Driver state initialization failed

Perform the bind-mount only when the ContainerCli is set
to 'docker'.

Change-Id: I7a2ca4fb1ff8ea5950fd52774c648af5ef274796
Closes-Bug: #1812013
Co-Authored-By: Michele Baldessari <michele@acksyn.org>
2019-01-16 15:55:55 +01:00
John Fulton
8f297c22e7 Make ceph-ansible integration respect PythonInterpreter
PythonInterpreter defaults to /usr/bin/python. If a user overrides
this default, e.g. to something like python3, then we should use it.
Modify ceph-base.yml to use the PythonInterpreter parameter. The
variable will already be set to ansible_python_interpreter by the
calling ansible execution.

Change-Id: If599855c00d0ab8861ea7f873d410f9a880d35be
Closes-Bug: #1811974
2019-01-16 14:20:42 +00:00
Cédric Jeanneret
704b6870ba Reuse the container in case we have a temporary podman failure
The "retry" patch[1] didn't take care of the existing container. This patch
intends to allow to reuse the container in case it has failed, in order to
avoid an error when the container is already existing.

[1] https://review.openstack.org/#/c/614639/

Change-Id: I5c7258c8687582f56b59ed410c0cc8f6ba4c2d4f
Context: https://github.com/containers/libpod/issues/1844
Related-Bug: #1811383
2019-01-16 14:07:12 +01:00
Zuul
d747625b82 Merge "Conditionalize docker socket bind-mount" 2019-01-16 11:44:58 +00:00
Zuul
c0b7d47084 Merge "docker-puppet: retry container run command" 2019-01-16 05:18:24 +00:00
Zuul
5c4f603580 Merge "Don't force Horizon's secure cookies to disabled" 2019-01-15 22:52:21 +00:00
Zuul
f89de7a569 Merge "Mount system modules when calling system iptables" 2019-01-15 22:33:36 +00:00
Emilien Macchi
d87efd29ed Conditionalize docker socket bind-mount
The socket is only needed when ContainerCli is set to 'docker'.
It only affects mistral executor and sensu-client containers, which were
the last containers relying on the socket.

For sensu-client, it was for healthchecks and they are being replaced by
systemd so the feature parity will be here.

For mistral-executor, it's needed by tripleo-validations running docker
CLI and they will have to run podman cli instead of docker.

Change-Id: I4e3d29a6eb65d871d7a1a935fcbd7bb98e7d1752
2019-01-15 22:49:01 +01:00
Zuul
52a70658ab Merge "Be explicit when passing vars into deploy steps" 2019-01-15 18:16:40 +00:00
Michele Baldessari
e26ef65e50 Transitioning to HAProxy 1.8
Haproxy 1.8 brings in a specific change that breaks us:
It removes the haproxy-systemd-wrapper which
we use in order to be able to reload the config file without
restarting the whole container (important in TLS scenarios).

We fix this by calling the haproxy binary directly and
using the master-worker mode (-Ws) which allows to receive
a SIGUSR2 command which will then reload the config for
all the workers. It should also not background.

This commit keeps backward compatibility with current HAProxy
to ease the transition to new HAProxy.

Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>

Change-Id: I93943efefa22b9107c85f9f5e0bd4c3c1ab867ed
2019-01-15 16:41:58 +00:00
Emilien Macchi
fda5b5ab3c docker-puppet: retry container run command
Context: https://github.com/containers/libpod/issues/1844
We have concurrency issue when podman is enabled, where
the bind-mounted entrypoint can't be found.

This patch will retry the podman run commands 3 times before declaring
a failure.
Also, every time it fails we'll log the number of attempts to configure
the container. So we can track these numbers in CI.

I'll allow us to keep doing concurrent calls, but with less chance
to fail with the issue #1844.

Note: we hate this patch and we hope to revert it soon. But now it's how
we'll reduce issues in CI.

Change-Id: I6af89bf54e562e7c6bbcdb82041a7274789dcf28
Related-Bug: #1811383
2019-01-15 17:38:22 +01:00
Cédric Jeanneret
1bebfdcbdd Mount system modules when calling system iptables
In order to allow the system iptables to actually run from within a container,
we might need specific, per-kernel modules in order to avoid mismatches.

Currently, the only container having the system iptables mounted is the
haproxy_firewall thingy.

Change-Id: Idabc2da14413d953c8fe9effdd240dc250e7c64d
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1665598
2019-01-15 15:37:39 +01:00
Bogdan Dobrelya
35aae87301 Be explicit when passing vars into deploy steps
Implicit defaults hide issues with overriding ansible variables as we
pass values in from deploy-steps.j2.

Make no implicit defaults for variables passed into deploy steps via
ansible vars. Only expect those take the values defined in the caller
deploy-steps.j2 playbook template. Add missing params and vars for
templates to propagate ansible values for external deploy/upgrade,
upgrade/update and post upgrade steps playbooks.

Make DockerPuppetDebug boolean to align with other booleans we pass
into deploy steps via ansible vars. Fix its processing in
docker-puppet.py, which is defaults for DockerPuppetDebug: ''
converted into 'false' in deploy steps tasks playbook, and then
that becomes always True in docker-puppet.py.

Related-Bug: #1799914

Change-Id: Ia630f08f553bd53656c76e5c8059f15d314a17c0
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-01-15 10:59:50 +01:00
Sorin Sbarnea
dc46a8684c Assure that updates job is listed in both check and gate
Fixes reported problem of job running only in check and not in gate:
tripleo-ci-centos-7-scenario000-multinode-oooq-container-updates

Change-Id: I7df8d811287c7605b1b406420de1eb17ae555346
2019-01-14 18:58:38 +00:00
Zuul
e8fd828d3b Merge "Remove default role-name from merge network param script" 2019-01-14 16:10:20 +00:00
Harald Jensås
2e36a4cfe9 Remove unused jinja code in network-isolation environment
Change I222873859af1b4ed1050cfffe55687b2f8d4c528 removed the
RedisVipPort using the {{primary_role_name}} jinja variable.
The code to get the primary_role_name is no longer necessary.

Closes-Bug: #1808893
Change-Id: Id416786c85a48c598ccc8a9975bb07d7735df218
2019-01-14 12:49:56 +00:00
Zuul
b34baf9242 Merge "Add Swift container sharder service" 2019-01-14 10:18:39 +00:00
Zuul
0873bd805e Merge "Gracefully shutdown Mysql before upgrade." 2019-01-14 04:12:29 +00:00
Michel Peterson
5a8950c706 Run 'Delete Upgrade Flag and Unset it via Rest' only once
Currently the curl commands associated with this command run on all
controller nodes of the overcloud. Because the ODL URI is always the
same it's actually doing it against the same REST API every time,
causing problems with the optimistic locking ODL uses.

This patch adds extra error information and limits the execution of this
task to only once per playbook (i.e. just one controller).

Change-Id: I75aed2c0f412961c1eed2ff14e039a0baca09e8a
2019-01-13 10:14:02 +02:00
Zuul
512f59a8cf Merge "flatten tripleo-packages service configuration" 2019-01-12 19:03:19 +00:00
Harald Jensås
c740b54214 Remove default role-name from merge network param script
The merge-new-params-nic-config-script.py previously had the
'Controller' role as the default for --role-name. It is not
obvious that this parameter must be changed when merging
nic config templates.

Remove the default and make the argument required. Improves
UX since user error is less likely.

Making the mistake of using a Role with too many networks
isn't as forgiving since we now only pass parameters for
the role.networks.

Related-Bug: #1800811
Change-Id: Iff9e364db66ad09a30ac10a7814a3c01d50caf58
2019-01-12 13:16:18 +00:00
Zuul
0f4d029597 Merge "Add missing Ironic monitoring_subscription" 2019-01-12 06:49:25 +00:00
Zuul
975529a360 Merge "Update Barbican HSM ansible roles" 2019-01-12 04:58:53 +00:00
Zuul
9d8135482e Merge "Add missing Aodh monitoring_subscription" 2019-01-12 03:05:54 +00:00
Zuul
3fb321ac5a Merge "Enable virt_sandbox_use_netlink SELinux boolean for port healthchecks" 2019-01-12 03:05:39 +00:00
Zuul
618a6abf93 Merge "Fix files: for scenario003 standalone - pointing to wrong env" 2019-01-11 23:46:02 +00:00
Zuul
64fa74e376 Merge "Fall back service_net_map to ctlplane" 2019-01-11 15:13:21 +00:00
Dan Prince
2b8ecaa114 Add missing Aodh monitoring_subscription
These got dropped in the service flattening patches.

Change-Id: I8912a506a343b928f7857b08ab728608ee5dd2da
2019-01-11 09:55:55 -05:00
Dan Prince
e32663b1fe Add missing Ironic monitoring_subscription
These got dropped in the service flattening patches.

Change-Id: Id0f5da6be5bd4f9c12ea9a2dfd18e64ace35f451
2019-01-11 09:53:49 -05:00
Douglas Mendizábal
2dae0b05ec Update Barbican HSM ansible roles
As requested during the review of a couple of tripleo-common patches:

https://review.openstack.org/#/c/610629
https://review.openstack.org/#/c/626801

We've moved the tripleo-barbican-{vendor} ansible roles to third
party repositories.  This patch updates THT to use the new roles.

Change-Id: Ica54f812bbe5e53e771dcfd59004b28f7c7105b0
2019-01-11 14:26:43 +00:00
Jose Luis Franco Arza
0015cc7441 Gracefully shutdown Mysql before upgrade.
When upgrading from MySQL 10.1 to 10.3 a bug appears if no
shutdown is being performed, as the redo log format has
changed in version 10.3.2 [0].

Make sure we always stop the MySQL server cleanly before
upgrading to a new version, to avoid redo log issue.

Note: to be idempotent, we need to stop the mysql container
rather than delete it; to be able to stop the container, we
amend the restart policy of the mysql container.

[0] - https://jira.mariadb.org/browse/MDEV-14848

Change-Id: Ia07b7755867858c74c7334424e8e6579ace495db
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Closes-Bug: #1810136
2019-01-11 13:53:06 +00:00
Christian Schwede
ef1b85702a Add Swift container sharder service
This is a new service required for sharding containers.

It is disabled by default and can be enabled by setting the
SwiftContainerSharderEnabled to true.

Change-Id: I73119496ca6dd99b2f42f97529ad91273735c848
2019-01-11 14:50:02 +01:00
Cédric Jeanneret
d70d128aa0 Enable virt_sandbox_use_netlink SELinux boolean for port healthchecks
As healthchecks are using "ss" command, we need to allow container_t
to access a tcp diagnostic socket, at least for the port healthchecks.

This follows change I9ebdf09c36fd2c69d05128b584593b41d9144e56, triggered
by the neutron healthchecks. A second pass was necessary in order to
further check the calls of ss.

Change-Id: I27e4c860948667abc2c21df5ec9e01627f58465a
Related-Bug: #1810512
2019-01-11 08:19:18 +01:00
Zuul
653856c58f Merge "Deprecate duplicate NFV environment files" 2019-01-11 07:05:04 +00:00